Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock X-Debbugs-Cc: pkg-owncloud-maintain...@lists.alioth.debian.org
Please unblock package nextcloud-desktop [ Reason ] #987274: Fix CVE-2021-22879 [ Tests ] Installed it locally for several days, without issues. Did not got any reponse that things are broken. [ Risks ] nextcloud-desktop is a leaf package, so no other package can break. The diff is straight forward and small. [ Checklist ] [ x ] all changes are documented in the d/changelog [ x ] I reviewed all changes and I approve them [ x ] attach debdiff against the package in testing unblock nextcloud-desktop/3.1.1-2
diff -Nru nextcloud-desktop-3.1.1/debian/changelog nextcloud-desktop-3.1.1/debian/changelog --- nextcloud-desktop-3.1.1/debian/changelog 2021-01-19 14:56:40.000000000 +0100 +++ nextcloud-desktop-3.1.1/debian/changelog 2021-05-08 19:39:35.000000000 +0200 @@ -1,3 +1,13 @@ +nextcloud-desktop (3.1.1-2) unstable; urgency=medium + + * Add two upstream patches to fix CVE-2021-22879 (Closes: #987274): + 013f3cea70acfe7b701cb73c93744d5ff5c0c213 + e97b7d8a25d3ef0d8c52b6399f304a42a5d4f212 + into Validate-sensitive-URLs-to-onle-allow-http-s-schemes.patch + with small modifications to apply to the version in Debian + + -- Sandro Knauß <he...@debian.org> Sat, 08 May 2021 19:39:35 +0200 + nextcloud-desktop (3.1.1-1) unstable; urgency=medium [ Christian Göttsche ] diff -Nru nextcloud-desktop-3.1.1/debian/patches/0006-Validate-sensitive-URLs-to-onle-allow-http-s-schemes.patch nextcloud-desktop-3.1.1/debian/patches/0006-Validate-sensitive-URLs-to-onle-allow-http-s-schemes.patch --- nextcloud-desktop-3.1.1/debian/patches/0006-Validate-sensitive-URLs-to-onle-allow-http-s-schemes.patch 1970-01-01 01:00:00.000000000 +0100 +++ nextcloud-desktop-3.1.1/debian/patches/0006-Validate-sensitive-URLs-to-onle-allow-http-s-schemes.patch 2021-05-08 19:39:35.000000000 +0200 @@ -0,0 +1,268 @@ +From 013f3cea70acfe7b701cb73c93744d5ff5c0c213 Fri Feb 5 10:06:25 2021 +From: allexzander <blackslay...@gmail.com> +Date: Fri, 5 Feb 2021 10:06:25 +0200 +Subject: [PATCH] Validate sensitive URLs to onle allow http(s) schemes. + +Signed-off-by: allexzander <blackslay...@gmail.com> +--- + src/gui/accountsettings.cpp | 5 +++-- + src/gui/creds/flow2auth.cpp | 3 ++- + src/gui/creds/oauth.cpp | 3 ++- + src/gui/guiutility.cpp | 11 +++++++++++ + src/gui/owncloudgui.cpp | 3 ++- + src/gui/socketapi.cpp | 4 ++-- + src/gui/tray/ActivityListModel.cpp | 5 +++-- + src/gui/tray/UserModel.cpp | 10 ++++++---- + src/gui/wizard/owncloudwizardresultpage.cpp | 3 ++- + src/gui/wizard/webview.cpp | 3 ++- + 10 files changed, 35 insertions(+), 15 deletions(-) + +--- a/src/gui/accountsettings.cpp ++++ b/src/gui/accountsettings.cpp +@@ -36,6 +36,7 @@ + #include "encryptfolderjob.h" + #include "syncresult.h" + #include "ignorelisttablewidget.h" ++#include "guiutility.h" + + #include <cmath> + +@@ -705,8 +706,9 @@ void AccountSettings::slotForceSyncCurre + + void AccountSettings::slotOpenOC() + { +- if (_OCUrl.isValid()) +- QDesktopServices::openUrl(_OCUrl); ++ if (_OCUrl.isValid()) { ++ Utility::openBrowser(_OCUrl); ++ } + } + + void AccountSettings::slotUpdateQuota(qint64 total, qint64 used) +--- a/src/gui/creds/flow2auth.cpp ++++ b/src/gui/creds/flow2auth.cpp +@@ -25,6 +25,7 @@ + #include "theme.h" + #include "networkjobs.h" + #include "configfile.h" ++#include "guiutility.h" + + namespace OCC { + +@@ -146,7 +147,7 @@ void Flow2Auth::fetchNewToken(const Toke + { + case actionOpenBrowser: + // Try to open Browser +- if (!QDesktopServices::openUrl(authorisationLink())) { ++ if (!Utility::openBrowser(authorisationLink())) { + // We cannot open the browser, then we claim we don't support Flow2Auth. + // Our UI callee will ask the user to copy and open the link. + emit result(NotSupported); +--- a/src/gui/creds/oauth.cpp ++++ b/src/gui/creds/oauth.cpp +@@ -22,6 +22,7 @@ + #include <QJsonDocument> + #include "theme.h" + #include "networkjobs.h" ++#include "guiutility.h" + + namespace OCC { + +@@ -165,7 +166,7 @@ QUrl OAuth::authorisationLink() const + + bool OAuth::openBrowser() + { +- if (!QDesktopServices::openUrl(authorisationLink())) { ++ if (!Utility::openBrowser(authorisationLink())) { + // We cannot open the browser, then we claim we don't support OAuth. + emit result(NotSupported, QString()); + return false; +--- a/src/gui/guiutility.cpp ++++ b/src/gui/guiutility.cpp +@@ -27,6 +27,17 @@ Q_LOGGING_CATEGORY(lcUtility, "nextcloud + + bool Utility::openBrowser(const QUrl &url, QWidget *errorWidgetParent) + { ++ const QStringList allowedUrlSchemes = { ++ "http", ++ "https", ++ "oauthtest" ++ }; ++ ++ if (!allowedUrlSchemes.contains(url.scheme())) { ++ qCWarning(lcUtility) << "URL format is not supported, or it has been compromised for:" << url.toString(); ++ return false; ++ } ++ + if (!QDesktopServices::openUrl(url)) { + if (errorWidgetParent) { + QMessageBox::warning( +--- a/src/gui/owncloudgui.cpp ++++ b/src/gui/owncloudgui.cpp +@@ -28,6 +28,7 @@ + #include "accountmanager.h" + #include "common/syncjournalfilerecord.h" + #include "creds/abstractcredentials.h" ++#include "guiutility.h" + #ifdef WITH_LIBCLOUDPROVIDERS + #include "cloudproviders/cloudprovidermanager.h" + #endif +@@ -570,7 +571,7 @@ void ownCloudGui::slotToggleLogBrowser() + void ownCloudGui::slotOpenOwnCloud() + { + if (auto account = qvariant_cast<AccountPtr>(sender()->property(propertyAccountC))) { +- QDesktopServices::openUrl(account->url()); ++ Utility::openBrowser(account->url()); + } + } + +--- a/src/gui/socketapi.cpp ++++ b/src/gui/socketapi.cpp +@@ -499,7 +499,7 @@ void SocketApi::command_EDIT(const QStri + auto url = QUrl(data.value("url").toString()); + + if(!url.isEmpty()) +- Utility::openBrowser(url, nullptr); ++ Utility::openBrowser(url); + }); + job->start(); + } +@@ -772,7 +772,7 @@ void SocketApi::emailPrivateLink(const Q + + void OCC::SocketApi::openPrivateLink(const QString &link) + { +- Utility::openBrowser(link, nullptr); ++ Utility::openBrowser(link); + } + + void SocketApi::command_GET_STRINGS(const QString &argument, SocketListener *listener) +--- a/src/gui/tray/ActivityListModel.cpp ++++ b/src/gui/tray/ActivityListModel.cpp +@@ -26,6 +26,7 @@ + #include "folderman.h" + #include "iconjob.h" + #include "accessmanager.h" ++#include "guiutility.h" + + #include "ActivityData.h" + #include "ActivityListModel.h" +@@ -458,7 +459,7 @@ void ActivityListModel::triggerDefaultAc + QDesktopServices::openUrl(path); + } else { + const auto link = data(modelIndex, LinkRole).toUrl(); +- QDesktopServices::openUrl(link); ++ Utility::openBrowser(link); + } + } + +@@ -479,7 +480,7 @@ void ActivityListModel::triggerAction(in + const auto action = activity._links[actionIndex]; + + if (action._verb == "WEB") { +- QDesktopServices::openUrl(QUrl(action._link)); ++ Utility::openBrowser(QUrl(action._link)); + return; + } + +--- a/src/gui/tray/UserModel.cpp ++++ b/src/gui/tray/UserModel.cpp +@@ -8,6 +8,7 @@ + #include "configfile.h" + #include "notificationconfirmjob.h" + #include "logger.h" ++#include "guiutility.h" + + #include <QDesktopServices> + #include <QIcon> +@@ -647,7 +648,7 @@ Q_INVOKABLE void UserModel::openCurrentA + + const auto talkApp = currentUser()->talkApp(); + if (talkApp) { +- QDesktopServices::openUrl(talkApp->url()); ++ Utility::openBrowser(talkApp->url()); + } else { + qCWarning(lcActivity) << "The Talk app is not enabled on" << currentUser()->server(); + } +@@ -659,10 +660,11 @@ Q_INVOKABLE void UserModel::openCurrentA + return; + + QString url = _users[_currentUserId]->server(false); +- if (!(url.contains("http://") || url.contains("https://"))) { ++ if (!url.startsWith("http://") && !url.startsWith("https://")) { + url = "https://" + _users[_currentUserId]->server(false); + } +- QDesktopServices::openUrl(QUrl(url)); ++ ++ QDesktopServices::openUrl(url); + } + + Q_INVOKABLE void UserModel::switchCurrentUser(const int &id) +@@ -911,7 +913,7 @@ void UserAppsModel::buildAppList() + + void UserAppsModel::openAppUrl(const QUrl &url) + { +- QDesktopServices::openUrl(url); ++ Utility::openBrowser(url); + } + + int UserAppsModel::rowCount(const QModelIndex &parent) const +--- a/src/gui/wizard/owncloudwizardresultpage.cpp ++++ b/src/gui/wizard/owncloudwizardresultpage.cpp +@@ -17,6 +17,7 @@ + #include <QDir> + #include <QUrl> + ++#include "guiutility.h" + #include "wizard/owncloudwizardresultpage.h" + #include "wizard/owncloudwizardcommon.h" + #include "theme.h" +@@ -93,7 +94,7 @@ void OwncloudWizardResultPage::slotOpenS + { + Theme *theme = Theme::instance(); + QUrl url = QUrl(field("OCUrl").toString() + theme->wizardUrlPostfix()); +- QDesktopServices::openUrl(url); ++ Utility::openBrowser(url); + } + + } // namespace OCC +--- a/src/gui/wizard/webview.cpp ++++ b/src/gui/wizard/webview.cpp +@@ -16,6 +16,7 @@ + #include <QWebEngineCertificateError> + #include <QMessageBox> + ++#include "guiutility.h" + #include "common/utility.h" + + namespace OCC { +@@ -227,7 +228,7 @@ bool ExternalWebEnginePage::acceptNaviga + { + Q_UNUSED(type); + Q_UNUSED(isMainFrame); +- QDesktopServices::openUrl(url); ++ Utility::openBrowser(url); + return false; + } + +--- a/src/gui/guiutility.h ++++ b/src/gui/guiutility.h +@@ -26,7 +26,7 @@ namespace Utility { + * + * If launching the browser fails, display a message. + */ +- bool openBrowser(const QUrl &url, QWidget *errorWidgetParent); ++ bool openBrowser(const QUrl &url, QWidget *errorWidgetParent = nullptr); + + /** Start composing a new email message. + * +--- a/test/CMakeLists.txt ++++ b/test/CMakeLists.txt +@@ -96,7 +96,7 @@ list(APPEND RemoteWipe_SRC ${RemoteWipe_ + list(APPEND RemoteWipe_SRC stubremotewipe.cpp ) + nextcloud_add_test(RemoteWipe "${RemoteWipe_SRC}") + +-nextcloud_add_test(OAuth "syncenginetestutils.h;../src/gui/creds/oauth.cpp") ++nextcloud_add_test(OAuth "syncenginetestutils.h;../src/gui/creds/oauth.cpp;../src/gui/guiutility.cpp") + + configure_file(test_journal.db "${PROJECT_BINARY_DIR}/bin/test_journal.db" COPYONLY) + diff -Nru nextcloud-desktop-3.1.1/debian/patches/series nextcloud-desktop-3.1.1/debian/patches/series --- nextcloud-desktop-3.1.1/debian/patches/series 2021-01-19 14:46:46.000000000 +0100 +++ nextcloud-desktop-3.1.1/debian/patches/series 2021-05-08 19:39:35.000000000 +0200 @@ -3,3 +3,4 @@ 0003-Use-release-version-for-Debian.patch 0004-Revert-8fb673457b42-Add-a-button-to-create-a-debug-a.patch 0005-Please-blhc.patch +0006-Validate-sensitive-URLs-to-onle-allow-http-s-schemes.patch